Add internet access control tests 91/320891/3
authorFilip Skrzeczkowski <f.skrzeczkow@samsung.com>
Mon, 10 Mar 2025 11:44:25 +0000 (12:44 +0100)
committerFilip Skrzeczkowski <f.skrzeczkow@samsung.com>
Tue, 11 Mar 2025 13:06:38 +0000 (14:06 +0100)
Change-Id: Ic5d2132e20afa35cbb1b73775d16b1033d0f9660

src/security-manager-tests/run-security-manager-no-smack-tests.sh
src/security-manager-tests/test_cases.cpp

index 2beae6a32a3d1bad047c8019a6e027ba3dc7a102..c7990166a6834026023ab92af3afbc6e58bac400 100644 (file)
@@ -70,6 +70,8 @@ required=(
        security_manager_11b_set_identity_privileged
        security_manager_11c_set_identity_app_no_author
        security_manager_11d_set_identity_app_author
+       security_manager_12a_internet_access_positive
+       security_manager_12b_internet_access_negative
        app_defined_06_get_provider
        app_defined_07_get_provider_license
        app_defined_08_add_get_license_with_untrusted_priv
index 46f3451969cdf8216171dfcf70833c8dfb46c3d6..875036e3743489bf403649d413f10a48665b6753 100644 (file)
@@ -809,6 +809,64 @@ RUNNER_CHILD_TEST(security_manager_11d_set_identity_app_author)
     }
 }
 
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INTERNET)
+
+namespace
+{
+    [[nodiscard]] int ping() {
+        FILE *in;
+        RUNNER_ASSERT(in = popen("curl -o /dev/null example.com", "r"));
+        return pclose(in);
+    };
+}
+
+RUNNER_CHILD_TEST(security_manager_12a_internet_access_positive)
+{
+    TemporaryTestUser testUser("sm_test_12a_internet_access", GUM_USERTYPE_NORMAL);
+    testUser.create();
+    AppInstallHelperExt app("sm_test_12a", "sm_test_12a", testUser.getUid());
+    app.addPrivilege(PRIV_INTERNET);
+    ScopedInstaller appInstall(app);
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid != 0) {
+        // wait for child to exit before uninstallation
+        waitPid(pid);
+        Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
+    } else {
+        // child - the actual application
+        RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
+        Api::prepareAppCandidate();
+        Api::prepareApp(app.getAppId());
+
+        RUNNER_ASSERT_MSG(ping() == 0, "No internet access while the privilege is present");
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative)
+{
+    TemporaryTestUser testUser("sm_test_12b_internet_access", GUM_USERTYPE_NORMAL);
+    testUser.create();
+    AppInstallHelperExt app("sm_test_12b", "sm_test_12b", testUser.getUid());
+    ScopedInstaller appInstall(app);
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid != 0) {
+        // wait for child to exit before uninstallation
+        waitPid(pid);
+        Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
+    } else {
+        // child - the actual application
+        RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
+        Api::prepareAppCandidate();
+        Api::prepareApp(app.getAppId());
+
+        RUNNER_ASSERT_MSG(ping() != 0, "Internet access detected despite no privilege");
+    }
+}
+
 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
 
 RUNNER_TEST(security_manager_20_user_cynara_policy)
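Review bot: The negative test's `RUNNER_ASSERT_MSG(ping() != 0, ...)` passes on any curl failure, so a device with no network, a DNS outage, a missing curl binary or a pclose() error all look like the privilege being enforced. `ping()` returns the raw pclose() wait status; decoding it, e.g. `int st = pclose(in); return WIFEXITED(st) ? WEXITSTATUS(st) : -1;`, would let 12b assert the specific curl exit code that a policy denial produces on the target (to be confirmed there) rather than any non-zero value. The command also has no time bound, so `curl -s --max-time 10 -o /dev/null example.com` would keep a silently dropped connection from stalling the run. Both tests also depend on example.com being reachable from the test device; if the harness allows it, a connectivity check before the identity change in 12b would make a failure attributable to the policy rather than to the environment.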